path: root/manual/html_node/SRP-credentials.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This manual is last updated 4 March 2015 for version
3.4.8 of GnuTLS.

Copyright (C) 2001-2015 Free Software Foundation, Inc.\\
Copyright (C) 2001-2015 Nikos Mavrogiannopoulos

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.  A
copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 6.0, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GnuTLS 3.4.8: SRP credentials</title>

<meta name="description" content="GnuTLS 3.4.8: SRP credentials">
<meta name="keywords" content="GnuTLS 3.4.8: SRP credentials">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-and-Data-Index.html#Function-and-Data-Index" rel="index" title="Function and Data Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="Associating-the-credentials.html#Associating-the-credentials" rel="up" title="Associating the credentials">
<link href="PSK-credentials.html#PSK-credentials" rel="next" title="PSK credentials">
<link href="Certificate-credentials.html#Certificate-credentials" rel="prev" title="Certificate credentials">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nocodebreak {white-space: nowrap}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: serif; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
body { 
	margin: 2%;
	padding: 0 5%;
	background: #ffffff;
}
h1,h2,h3,h4,h5 {
    font-weight: bold;
    padding: 5px 5px 5px 5px;
    background-color: #c2e0ff;
    color: #336699;
}
h1 {
    padding: 2em 2em 2em 5%;
    color: white;
    background: #336699;
    text-align: center;
    letter-spacing: 3px;
}
h2 { text-decoration: underline; }
pre {
  margin: 0 5%;
  padding: 0.5em;
}
pre.example,pre.verbatim {
  padding-bottom: 1em;

  border: solid #c2e0ff;
  background: #f0faff;
  border-width: 1px 1px 1px 5px;
  margin: 1em auto;
  width: 90%;
}

div.node {
  margin: 0 -5% 0 -2%;
  padding: 0.5em 0.5em;
  margin-top: 0.5em;
  margin-bottom: 0.5em;
  font-weight: bold;
}
dd, li {
  padding-top: 0.1em;
  padding-bottom: 0.1em;
}
div.float {

  margin-bottom: 0.5em;
  text-align: center;
}

table {
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  border-spacing: 7px;
  width: 50%;
}

th {
  padding: 0;
  color: #336699;
  background-color: #c2e0ff;
  border: solid #000000;
  border-width: 0px;
  margin: 1em auto;
  text-align: center;
  margin-left:auto;
  margin-right:auto;
}

td {
  padding: 0;
  border: solid #000000;
  background-color: #f0faff;
  border-width: 0px;
  margin: 1em auto;
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  padding-left: 1em;
}

dl {
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  width: 50%;

  padding-left: 1em;
  border: solid #c2e0ff;
  background: #f0faff;
  border-width: 5px 1px 1px 1px;
  margin: 1em auto;
}

-->
</style>


</head>

<body lang="en">
<a name="SRP-credentials"></a>
<div class="header">
<p>
Next: <a href="PSK-credentials.html#PSK-credentials" accesskey="n" rel="next">PSK credentials</a>, Previous: <a href="Certificate-credentials.html#Certificate-credentials" accesskey="p" rel="prev">Certificate credentials</a>, Up: <a href="Associating-the-credentials.html#Associating-the-credentials" accesskey="u" rel="up">Associating the credentials</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="SRP"></a>
<h4 class="subsection">6.4.2 SRP</h4>

<p>The initialization functions in SRP credentials differ between
client and server.
Clients supporting <acronym>SRP</acronym> should set the username and password
prior to connection, to the credentials structure.
Alternatively <a href="Core-TLS-API.html#gnutls_005fsrp_005fset_005fclient_005fcredentials_005ffunction">gnutls_srp_set_client_credentials_function</a>
may be used instead, to specify a callback function that should return the
SRP username and password.
The callback is called once during the <acronym>TLS</acronym> handshake.
</p>
<dl compact="compact">
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fsrp_005fallocate_005fserver_005fcredentials">gnutls_srp_allocate_server_credentials</a> (gnutls_srp_server_credentials_t *            <var>sc</var>)</code></dt>
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fsrp_005fallocate_005fclient_005fcredentials">gnutls_srp_allocate_client_credentials</a> (gnutls_srp_client_credentials_t *            <var>sc</var>)</code></dt>
<dt><code><var>void</var> <a href="Core-TLS-API.html#gnutls_005fsrp_005ffree_005fserver_005fcredentials">gnutls_srp_free_server_credentials</a> (gnutls_srp_server_credentials_t <var>sc</var>)</code></dt>
<dt><code><var>void</var> <a href="Core-TLS-API.html#gnutls_005fsrp_005ffree_005fclient_005fcredentials">gnutls_srp_free_client_credentials</a> (gnutls_srp_client_credentials_t <var>sc</var>)</code></dt>
<dt><code><var>int</var> <a href="Core-TLS-API.html#gnutls_005fsrp_005fset_005fclient_005fcredentials">gnutls_srp_set_client_credentials</a> (gnutls_srp_client_credentials_t <var>res</var>, const char * <var>username</var>, const char * <var>password</var>)</code></dt>
</dl>





<dl>
<dt><a name="index-gnutls_005fsrp_005fset_005fclient_005fcredentials_005ffunction"></a>Function: <em>void</em> <strong>gnutls_srp_set_client_credentials_function</strong> <em>(gnutls_srp_client_credentials_t         <var>cred</var>, gnutls_srp_client_credentials_function         * <var>func</var>)</em></dt>
<dd><p><var>cred</var>: is a <code>gnutls_srp_server_credentials_t</code>  type.
</p>
<p><var>func</var>: is the callback function
</p>
<p>This function can be used to set a callback to retrieve the
username and password for client SRP authentication.  The
callback&rsquo;s function form is:
</p>
<p>int (*callback)(gnutls_session_t, char** username, char**password);
</p>
<p>The  <code>username</code> and  <code>password</code> must be allocated using
<code>gnutls_malloc()</code> .   <code>username</code> and  <code>password</code> should be ASCII strings
or UTF-8 strings prepared using the &quot;SASLprep&quot; profile of
&quot;stringprep&quot;.
</p>
<p>The callback function will be called once per handshake before the
initial hello message is sent.
</p>
<p>The callback should not return a negative error code the second
time called, since the handshake procedure will be aborted.
</p>
<p>The callback function should return 0 on success.
-1 indicates an error.
</p></dd></dl>

<p>In server side the default behavior of <acronym>GnuTLS</acronym> is to read
the usernames and <acronym>SRP</acronym> verifiers from password files. These
password file format is compatible the with the <em>Stanford srp libraries</em>
format.  If a different password file format is to be used, then 
<a href="Core-TLS-API.html#gnutls_005fsrp_005fset_005fserver_005fcredentials_005ffunction">gnutls_srp_set_server_credentials_function</a> should be called,
to set an appropriate callback. 
</p>




<dl>
<dt><a name="index-gnutls_005fsrp_005fset_005fserver_005fcredentials_005ffile"></a>Function: <em>int</em> <strong>gnutls_srp_set_server_credentials_file</strong> <em>(gnutls_srp_server_credentials_t <var>res</var>, const char * <var>password_file</var>, const char * <var>password_conf_file</var>)</em></dt>
<dd><p><var>res</var>: is a <code>gnutls_srp_server_credentials_t</code>  type.
</p>
<p><var>password_file</var>: is the SRP password file (tpasswd)
</p>
<p><var>password_conf_file</var>: is the SRP password conf file (tpasswd.conf)
</p>
<p>This function sets the password files, in a
<code>gnutls_srp_server_credentials_t</code>  type.  Those password files
hold usernames and verifiers and will be used for SRP
authentication.
</p>
<p><strong>Returns:</strong> On success, <code>GNUTLS_E_SUCCESS</code>  (0) is returned, or an
error code.
</p></dd></dl>





<dl>
<dt><a name="index-gnutls_005fsrp_005fset_005fserver_005fcredentials_005ffunction"></a>Function: <em>void</em> <strong>gnutls_srp_set_server_credentials_function</strong> <em>(gnutls_srp_server_credentials_t         <var>cred</var>, gnutls_srp_server_credentials_function         * <var>func</var>)</em></dt>
<dd><p><var>cred</var>: is a <code>gnutls_srp_server_credentials_t</code>  type.
</p>
<p><var>func</var>: is the callback function
</p>
<p>This function can be used to set a callback to retrieve the user&rsquo;s
SRP credentials.  The callback&rsquo;s function form is:
</p>
<p>int (*callback)(gnutls_session_t, const char* username,
gnutls_datum_t *salt, gnutls_datum_t *verifier, gnutls_datum_t *generator,
gnutls_datum_t *prime);
</p>
<p><code>username</code> contains the actual username.
The  <code>salt</code> ,  <code>verifier</code> ,  <code>generator</code> and  <code>prime</code> must be filled
in using the <code>gnutls_malloc()</code> . For convenience  <code>prime</code> and  <code>generator</code> may also be one of the static parameters defined in gnutls.h.
</p>
<p>Initially, the data field is NULL in every <code>gnutls_datum_t</code> 
structure that the callback has to fill in. When the
callback is done GnuTLS deallocates all of those buffers
which are non-NULL, regardless of the return value.
</p>
<p>In order to prevent attackers from guessing valid usernames,
if a user does not exist, g and n values should be filled in
using a random user&rsquo;s parameters. In that case the callback must
return the special value (1).
See <code>gnutls_srp_set_server_fake_salt_seed</code>  too.
If this is not required for your application, return a negative
number from the callback to abort the handshake.
</p>
<p>The callback function will only be called once per handshake.
The callback function should return 0 on success, while
-1 indicates an error.
</p></dd></dl>


<hr>
<div class="header">
<p>
Next: <a href="PSK-credentials.html#PSK-credentials" accesskey="n" rel="next">PSK credentials</a>, Previous: <a href="Certificate-credentials.html#Certificate-credentials" accesskey="p" rel="prev">Certificate credentials</a>, Up: <a href="Associating-the-credentials.html#Associating-the-credentials" accesskey="u" rel="up">Associating the credentials</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>



</body>
</html>